Background

Commonwealth Government agencies (agencies) are required to comply with the
Information Privacy Principles (IPPs) in the Privacy Act 1988 (Cth) (the Privacy
Act) when handling personal information. At times agencies contract out
(outsource) a function that requires a contractor to collect and handle personal
information on behalf of the agency. This information sheet deals with the
obligations of agencies and contractors under the Privacy Act when this occurs.
It replaces the guidelines that the Privacy Commissioner (the Commissioner)
issued in August 1994 called Outsourcing and privacy - Advice for
Commonwealth agencies considering contracting out (outsourcing) information
technology and other functions.

Amendments to the Privacy Act contained in the Privacy Amendment (Private
Sector) Act 2000 (Cth) commence on 21 December 2001. Those amendments contain
new provisions that apply to agencies and their contractors. These new
provisions do not apply to ACT government agencies or their contractors.

Under this legislation, a contract between an agency and a contractor (or
between a contractor and any subcontractor for such a contract) is to be the
primary source of the contractor's obligations in relation to the personal
information collected or handled for the purpose of performing the contract.
This means that agencies continue to have contractual remedies against a
contractor that breaches a privacy clause in a contract. (Although the agency
will not have contractual rights against the subcontractor.)

The legislation also ensures that contractors and their subcontractors can be
held accountable under the Privacy Act for any breaches of privacy obligations
that they commit. An individual who considers that a contractor or subcontractor
has breached their obligations in the handling of personal information about
them can complain to the Commissioner who has jurisdiction to directly
investigate the actions of the contractor or subcontractor. These are
significant new rights and obligations.

The standards the Commissioner would apply in investigating a complaint are
those set out in the contract. Also, for areas where there is no provision in
the contract that is equivalent to the National Privacy Principles (NPPs) (the
information handling standards that apply to private sector organisations
covered by the Privacy Act), the NPPs are the standard.

Definition of contracted service provider

The definition of 'contracted service provider' (CSP) in section 6(1) of the
Privacy Act includes the terms 'government contract' and 'subcontractor'. The
definitions of those terms and 'Commonwealth contract' are relevant to
understanding the contracting out amendments and to whom they apply. The new
provisions do not apply to the activities private sector contractors carry out
to provide services under contracts with State or Territory governments.
Therefore, the term 'CSP' used in this document only refers to contractors under
Commonwealth contracts and subcontractors for such contracts.

Obligations on Commonwealth agencies contracting out services

Requirements under section 95B

The Privacy Act ensures that an agency cannot use a contract to avoid its own
obligations under the IPPs by authorising a CSP to do something that the agency
itself is not permitted to do.

Contractual measures to prevent breach of IPPs by contractor

When entering a Commonwealth contract, section 95B of the Privacy Act requires
an agency to take contractual measures to ensure that a CSP for the contract
does not do an act, or engage in a practice, that would breach an IPP if done
by the agency. In particular, the agency must ensure that the Commonwealth
contract does not authorise a CSP for the contract to do or engage in such an
act or practice.

Contractual measures to prevent breach by subcontractor

Some agencies may have clauses limiting or prohibiting subcontracting. However,
where subcontracting is a possibility the agency must ensure that the
Commonwealth contract contains provisions to ensure that an act or practice that
would breach an IPP is not authorised by a subcontract. One way of doing this is
to include in the primary contract a clause that requires the contractor to
include in any relevant subcontract clauses that impose the same privacy
requirements on the subcontractor as apply to the contractor.

Good practice to refer to NPP obligations of CSPs

Agencies are only required to include privacy clauses in Commonwealth contracts
that are consistent with their own obligations under the Privacy Act. However,
the NPPs apply to the activities of a CSP in relation to the Commonwealth
contract in areas where the IPPs have no equivalent provisions. To give a CSP a
complete picture of its privacy obligations in relation to its activities under
the contract it would be good practice for agencies to include in the contract
provisions that also refer to the relevant NPPs.

Application of section 95B to existing contracts

Section 95B does not apply to contracts that an agency has already entered into
before 21 December 2001. So agencies are not required to amend contracts they
have entered into before this date to comply with the requirements of section
95B. However, the Commissioner encourages agencies to review and take steps to
amend their contracts where it is possible and reasonable to do so. A minimal
step would be to write to each contractor and let them know how the new
provisions (and in particular the NPPs) will apply to them from 21 December
2001.

An agency would have to ensure that any contract it renews after 21 December
2001 complies with section 95B requirements.

Consequences of breaching section 95B

Breaches of section 95B are likely to become apparent to the Commissioner in the
course of regular agency audits the Office of the Privacy Commissioner (the
Office) carries out, or when an individual makes a complaint that involves a
CSP. In the case of an audit, the Commissioner may require an agency to take a
number of steps to remedy any breach. In the case of a complaint about a CSP
that indicates that an agency may be in breach of section 95B the Commissioner
is likely to undertake an audit to confirm whether or not this is the case.

Contracts to provide services to third parties

Providing services to third parties under a contract

The definition of a CSP covers:

o the provision of services directly to the agency concerned; and

o the provision of services to third parties on behalf of an agency, where the
provision of those services is in connection with the performance of the
functions of the agency - section 6(9).

Where a contractor is providing services directly to an agency, it will be
clear that the contractor is a CSP for a Commonwealth contract. However, where
services are to be provided to third parties on behalf of an agency it may be
less clear. In this case, to decide whether the contractor is a CSP for the
purposes of section 95B of the Privacy Act an agency will need to consider
whether the service to be provided under the contract is connected with the
performance of the functions of the agency.

Some ways to work out the functions of an agency would include looking at the
agency's statutory functions and administrative arrangements.

Where a contractor providing services to a third party on behalf of an agency
is a CSP, the agency will need to ensure that the contractor is aware that they
are a CSP in providing those services.

Grants to provide services to third parties

If the service to be provided under the contract is not connected with the
performance of the functions of the agency then the special provisions in the
Privacy Act about CSPs for Commonwealth contracts, including section 95B, do not
apply. An example of this might be where an agency enters into a contract to
provide Commonwealth funds (for example, a grant) to a body to provide services
(for example, legal or welfare services) to members of the community. If
providing those services is not a function of the agency then the body receiving
the grant would not be a CSP for a Commonwealth contract.

Although the Privacy Act does not require agencies to include contractual
provisions about privacy in these circumstances the Commissioner encourages
agencies to do so as good practice. This is particularly important where the
body receiving funding is exempt from coverage of the Privacy Act (for example,
if it has a turnover of $3 million or less and it is not providing a health
service).

Agency contracting with a State or Territory

CSP is defined in section 6(1) of the Privacy Act to cover certain
organisations. The definition of 'organisation' in section 6C excludes a 'State
or Territory authority' (which is defined in section 6C(3)). Therefore, State or
Territory authorities are not included in the definition of 'CSP'. This means
that a State or Territory authority providing services under contract with an
agency is not covered by the Privacy Act. However, in these circumstances
agencies would still need to consider their obligations under IPP 4(b) to ensure
that everything reasonable is done to prevent unauthorised use or disclosure of
the personal information involved. Agencies should continue to include privacy
clauses in contracts with a State or Territory authority where the authority
will be handling personal information on behalf of the agency.

Obligations on agency contracting offshore

The obligations under section 95B of the Privacy Act to ensure that a CSP
complies with the IPPs apply regardless of whether the contractor is in
Australia or offshore. Extra-territorial operation is achieved by virtue of
section 5B. Section 5B(4) ensures that the Commissioner has jurisdiction to
investigate a complaint in these circumstances. Clearly, however, when
contracting offshore, agencies need to make sure that they are still able to
enforce the provisions of the contract.

Obligations on CSPs continue after contract ends

The use of the past tense in the definition of CSP ensures that obligations
on CSPs to protect any personal information acquired under the contract continue
even after the completion or termination of the contract. It also ensures that
complaints about the acts or practices of CSPs under a Commonwealth contract may
be taken to the Commissioner even after the completion of the contract. It would
be good practice for agencies to include information about this either in the
contract or in other information they give to the CSP.

Small business operators as CSPs

Under the Privacy Act many small businesses are exempt from having to comply
with the NPPs (see section 6D). However, an individual, body corporate,
partnership, unincorporated association or trust cannot take advantage of the
small business exemption for anything they do as a CSP for a Commonwealth
contract. A CSP of whatever size is bound by the legislation (and contract) in
relation to its performance of the contract. The small business exemption could
apply to all its other activities - see sections 6D(4)(e) and 7B(2) of the
Privacy Act.

Additional obligations on CSPs to comply with NPPs (or approved code)

Privacy clauses in Commonwealth contracts prevail where they are inconsistent
with the NPPs or a code to which the CSP may be subject (section 6A(2) and
6B(2)). If a privacy clause in a Commonwealth contract is consistent with a NPP
(or relevant approved code), or if there is no clause in the contract
corresponding to the NPP (or to any approved code), the NPP (or the approved
code) will apply to the CSP concerned.

In practical terms, this means a CSP must comply with the terms of any
Commonwealth contract. In addition, where there is no clause or requirement
under the contract corresponding to a matter covered by the NPPs (or relevant
approved code), a CSP also must comply with those NPPs (or any approved code)
not addressed in the contract in respect of the services it provides to the
agency. This applies to any CSP, including one that is able to claim the small
business exemption in relation to its other activities.

Possible privacy clauses in a Commonwealth contract

Clauses to meet section 95B obligations

Simply having a provision in a Commonwealth contract that says the contractor
agrees not to do an act or engage in a practice that would breach an IPP if that
act or practice was done or engaged in by an agency will generally not be
sufficient to ensure that an agency has met its obligations under section 95B.
In a number of cases agencies will need to have more specific or practical
provisions.

For example, an agency will need to consider how it will go about ensuring
that a contractor does not breach IPP 5. One option may be to maintain a privacy
digest that includes information about the personal information held by
contractors rather than have the contractor do this.

Also agencies currently meet their access obligations under IPP 6 using the
Freedom of Information Act 1982 (Cth) (FOI Act). However this does not apply to
contractors. To ensure that a contractor meets its access obligations, an agency
will need to have specific provisions addressing this. The provisions could
reflect the process that is currently followed under the FOI Act, or the
provisions could reflect the approach adopted in the Guidelines to the National
Privacy Principles and associated information sheets. Agencies may need to get
legal advice about this.

Clauses to meet NPP obligations

CSPs are required to comply with the NPPs where there is no clause in the
contract corresponding to the NPPs (or relevant approved code, whichever is
applicable). Also, some of the NPPs set a higher standard in areas of privacy
covered by the IPPs. To ensure that contractors are aware of their NPP
obligations and to ensure that where appropriate individuals receive a level of
protection for their personal information equivalent to the NPPs where the
standards are higher, it would be good practice for agencies to consider what
provisions they might include to address the NPPs. Issues the agency might like
to consider include:

o in relation to NPP 7 (identifiers) - should the contract have provisions
reflecting NPP 7 obligations not to adopt, use or disclose Commonwealth
government identifiers?

o in relation to NPP 8 (anonymity) - should the contract require the
contractor to allow individuals interacting with the contractor to remain
anonymous in certain circumstances?

o in relation to NPP 9 (transborder data flows) - should the contract require
the CSP to comply with NPP 9 requirements if transferring information overseas
is a requirement of the contract?

o in relation to NPP 10 (collection of sensitive information) - if the
contractor is required to collect health or other sensitive information, should
there be a provision in the contract that requires the contractor to get the
individual's consent to do so?

Privacy clauses to meet other Privacy Act obligations

In order to ensure that the CSP is aware of its obligations under section 16F in
relation to direct marketing, the agency could make it clear to the contractor
whether or not the contract requires the CSP to carry out direct marketing for
the purposes of the contract. If the contract does not require direct marketing,
the agency could include a provision that states that the CSP is not to use
information collected under the contract for direct marketing purposes.

Finding out what privacy standards apply

Openness about managing personal information

Both the IPPs and the NPPs require agencies and organisations to be open
about their policies on management of personal information. Consistent with
those requirements, the Privacy Act ensures that policies on the management of
personal information included in clauses in Commonwealth contracts are not
hidden because the contract is classified as 'commercial-in-confidence'.

Provisions inconsistent with NPP or binding code not 'commercial in confidence'

If a person asks for it, a party to a Commonwealth contract must inform the
person in writing of the content of any provision in the contract that is
inconsistent with an approved code binding a party to the contract or with a NPP
(see section 95C).

By finding out if any provision in the Commonwealth contract is inconsistent
with an approved code or NPP, an individual will be able to work out if a
particular act or practice of the CSP is breaching a privacy clause included in
the Commonwealth contract. For example, the contract may contain a provision
concerning the contractor's ability to use or disclose personal information that
is not consistent with NPP 2. If asked, a party to the contract would be
required to inform the person of the content of that provision.

Compliance by giving a copy of privacy clauses

In practice, to comply with this requirement all an agency or CSP needs to do
is provide a copy of the privacy clauses in the relevant contract.

Interference with privacy by CSPs

Section 13A(1)(c) provides that an act or practice of a CSP that breaches a
privacy clause will constitute an interference with privacy. Similarly, an act
or practice of a CSP that breaches a NPP (or a relevant approved code) will
constitute an interference with privacy, where there is no clause in the
contract corresponding to the NPP (or approved code) or if a clause is
consistent with an NPP (or relevant code). An act or practice of a CSP that
contravenes section 16F (which prohibits the use or disclosure of personal
information collected under a Commonwealth contract for direct marketing unless
the use or disclosure is necessary to meet (directly or indirectly) an
obligation under the contract) will also constitute an interference with
privacy.

Application of the Privacy Act to existing contracts

The Privacy Act has some application to contracts made before 21 December
2001 that include privacy clauses. After that date acts or practices of a CSP in
relation to the contract can constitute an interference with the privacy of an
individual under the Privacy Act, despite the fact that the contract may have
been entered before the commencement of the new provisions. Where an agency has
already included privacy clauses in its Commonwealth contract and a CSP breaches
a relevant provision of the contract an individual has the right to complain to
the Commissioner (and the Commissioner has jurisdiction to directly investigate
the acts and practices of the CSP). If an existing Commonwealth contract does
not have privacy clauses in it on 21 December, the NPPs or relevant code will
apply to the acts and practices of the CSP from that date.

Complaints process for Commonwealth contracts

The Commissioner handles complaints about CSPs

The Commissioner handles and investigates all complaints about a CSP even if
the CSP is subject to an approved code that provides for an independent
adjudicator. If the complaint concerns an act or practice of the CSP, the CSP
itself will be the respondent to the complaint, not the contracting agency. The
Commissioner is also required to advise the agency of the investigation or any
decision not to investigate.

Agency can be substituted for respondent in certain circumstances

Where the CSP is not available or appropriate as respondent to the complaint
for any of the reasons specified in section 50A(1)(b) (the respondent dies,
ceases to exist or becomes bankrupt etc) the Commissioner may choose to
substitute the agency for the CSP as the respondent. However, before making such
a decision, the Commissioner is required to give the agency the chance to appear
before the Commissioner and to make oral and/or written submissions concerning
the proposed substitution of the agency as respondent.

Commissioner's complaint handling process and powers

The Commissioner's usual complaint handling powers under Part V of the
Privacy Act apply to complaints about CSPs. These include wide-ranging powers to
obtain information and to take evidence under oath. The Commissioner tries to
conciliate complaints but where conciliation fails can also make a formal
determination under section 52 which may include:

o a declaration that the respondent should redress any loss or damage suffered
by the complainant; and

o a declaration that the complainant is entitled to a specified amount by way
of compensation for any loss or damage suffered.

The Commissioner can seek to have such determinations enforced in the Federal
Court or the Federal Magistrates Court.

Substitution of the agency as respondent to determination

Where the Commissioner's determination includes a declaration that the
complainant is entitled to compensation or reimbursement and the CSP is not
available for any of the reasons specified in section 53B(c) (the respondent
dies, ceases to exist or becomes bankrupt etc), the Commissioner may substitute
the agency as the respondent to the determination. Again, before making such a
decision, the Commissioner must give the agency the chance to appear before the
Commissioner and to make oral and/or written submissions concerning the proposed
substitution.

Summary of matters agencies should consider when contracting out services

Agencies should include appropriate privacy clauses in contracts to ensure
that CSPs do not act in a way that would be a breach of the IPPs if the act or
practice was done by the agency itself.

Agencies should be aware that simply stating in the contract that the CSP
should not breach the IPPs is unlikely to meet their obligations under section
95B and that, in particular, the agency may need specific provisions relating to
openness (IPP 5) and access (IPP 6).

Agencies should also ensure that contracts contain provisions that prevent
subcontracts from authorising an act or practice that would be a breach of the
IPPs if the act or practice was done by the agency itself.

If a contract involves the provision of services to third parties, agencies
should consider whether those services are connected with the performance of
their functions. If the services are connected the agency will need to ensure
that it complies with its obligations under section 95B and ensure the CSP is
aware of the special provisions under the Privacy Act that apply to it.

Agencies should be aware that if there is no clause in the contract
corresponding to the NPP (or to a relevant approved code) in the contract, the
NPP (or the approved code) will apply to the CSP.

Agencies should consider whether it is appropriate to include in the
contract privacy clauses addressing the following NPPs (or the code
equivalent):

o NPP 7 - Government identifiers

o NPP 8 - Option of remaining anonymous

o NPP 9 - Disclosure to organisations in foreign countries

o NPP 10 - Collection of sensitive information.

Agencies should state in the contract whether or not the contract requires
the CSP to engage in direct marketing and, if the contract does not require
direct marketing, it should confirm the CSP's obligation not to use the
information it collects under the Commonwealth contract for direct marketing.

Agencies are required to provide a person who asks for a copy of the privacy
clauses in a contract that are inconsistent with the NPPs (or with a relevant
approved code binding a party to the contract) with a copy of those clauses.

Agencies should be aware that complaints about acts or practices of a CSP
will be investigated by the Commissioner, with the CSP as the respondent (unless
the Commissioner decides otherwise).

Agencies should also be aware that the Commissioner may substitute an agency
for a CSP as a respondent to a complaint if the organisation that is the
contractor dies, ceases to exist or becomes bankrupt etc, and that the agency
may be liable to pay compensation if the Commissioner so decides.

Summary of matters CSPs should consider when entering Commonwealth contracts

Even if a CSP is a small business usually exempt from the NPPs, the CSP will
need to comply with the Privacy Act (and the contract) in relation to its
activities under the Commonwealth contract.

A contractor will need to be aware where it provides services to third
parties on behalf of an agency it will be a CSP if those services are connected
with the performance of the functions of the agency. If the services are
connected, the contractor will be subject to special provisions in the Privacy
Act that apply to CSPs. If, as a matter of good practice, an agency has not
indicated whether a service is connected with a function of the agency, a
contractor should check with the agency.

A CSP (and the agency) is required to provide a person who asks for a copy
of the privacy clauses in a contract that are inconsistent with the NPPs (or
with an approved code binding a party to the contract) with a copy of those
clauses.

The Privacy Act prohibits CSPs from using or disclosing personal information
collected under a Commonwealth contract for direct marketing unless the use or
disclosure is necessary to meet (directly or indirectly) an obligation under the
contract.

CSPs should be aware that if there is no clause in the contract
corresponding to the NPP (or to a relevant approved code), the NPP (or the
relevant approved code) will apply to the CSP.

CSPs should be aware that there would be some additional obligations on them
over and above the IPPs (unless the contract otherwise provides) because the
NPPs (or the code equivalent) deal with some things not addressed by the IPPs.
For example:

o NPP 7 - Government identifiers

o NPP 8 - Option of remaining anonymous

o NPP 9 - Disclosure to organisations in foreign countries

o NPP 10 - Collection of sensitive information.

CSPs should be aware that the Commissioner has the power to investigate
complaints and undertake own motion investigations of acts and practices of
CSPs.

Unless the Commissioner decides otherwise, the CSP will be the respondent to
any complaint to the Commissioner about activities of the CSP and if
compensation is payable, the CSP will be responsible for paying the
compensation.

CSPs should be aware that the NPPs will apply to their business activities
that are not related to the Commonwealth contract unless the CSP is otherwise
exempt (for example, because it is a small business operator in relation to
those activities).

Information sheets are advisory only. They are not legally binding and are
not intended to be a substitute for legal advice.

Information sheets are based on the Office's understanding of how the Privacy
Act works. They are intended to help agencies and organisations apply the
Privacy Act in ordinary circumstances. Agencies and organisations may need to
seek separate legal advice on the application of the Privacy Act to their
particular situation.

Nothing in an information sheet limits the Commissioner's freedom to investigate
complaints under the Privacy Act or to apply the Privacy Act in the way that
seems most appropriate to the facts of the case being dealt with.

Agencies and organisations may also wish to consult the Commissioner's
guidelines and other information sheets.